Woodrow Hartzog is a professor of law and computer science at Northeastern University. Neil Richards is the Thomas and Karole Green Professor of Law and director of the Cordell Institute at Washington University in St. Louis.
Since the dawn of the Internet, American regulators and companies have pursued two goals to protect our privacy: that people should be in control of their data and that companies should be transparent about what they do with our data. We can see these goals detailed in the privacy policies and terms of service that we “agree” to as well as companies’ increasingly complicated systems of privacy dashboards, permissions and sharing controls.
This approach has failed us. Too often it has resulted in little more than threadbare privacy protections and cluttered inboxes. The control that companies promise us over our data ends up illusory and overwhelming. And even when they act transparently, they don’t embrace the privacy reforms we need.
And so, over the past decade, we’ve witnessed a cascade of high-profile privacy failures: the Edward Snowden disclosures, the Cambridge Analytica scandal, fake news and data breach after data breach after data breach. Big tech platforms and shadowy advertising companies make their fortunes while the rest of us are watched, nudged, exploited and exposed to cyberattacks and the manipulation of our political systems.
There’s a better way, but it requires us to reimagine the relationship between consumers and online companies in a way that places trust at the center. Being trustworthy in the digital age means companies must be discreet with our data, honest about the risk of data practices, protective of our personal information and, above all, loyal to us — the data subjects. And it’s up to our lawmakers to make it happen.
Congress stands alone among Western democracies in failing to pass a general privacy law covering all our information. The Federal Trade Commission has worked hard to be the top U.S. privacy cop, but it lacks the legal tools and financial resources needed to do the job.
The world is watching, and the economic stakes are enormous. International data flows are essential for the global economy to function without fundamentally — and expensively — restructuring the Internet. American tech companies depend on being able to smoothly bring Europeans’ data here for processing, but in 2015, a European court ruled that U.S. privacy protections were so poor that it struck down the Safe Harbor agreement, which helped enable an international flow of data. Our current data-sharing agreement with Europe, called the E.U./U.S. Privacy Shield, also seems destined to fail. If it does, we will need a good replacement.
Despite the failures of our current online privacy ecosystem, some lawmakers are considering doubling down on policies that do not work. But no matter how much control companies give us over our data, it will never work online. That’s because control and transparency place the burden on consumers to protect themselves and understand where their data is going. And they must do this for every one of the dozens (or more) online accounts they may have.
So let’s try something different. Consider the newly introduced legislation from Sen. Brian Schatz (D-Hawaii) called the Data Care Act of 2018, for which we provided feedback in its draft form. The bill, one of the first and most significant moves to establish a new American privacy identity, favors three key non-waivable obligations for companies that use the Internet to collect personal information: duties of care, loyalty and confidentiality. These duties are modeled on the privacy requirements for any fiduciary, such as doctors, lawyers or accountants — all of whom are legally required to act in good faith on behalf of their patients or clients and are bound to keep our disclosures safe and confidential.
Schatz’s legislation would apply more broadly, compelling tech companies to be discreet and secure, discouraging manipulative practices and keeping companies from elevating their short-term profits over our long-term interests. In other words, the bill would require such companies to act more like doctors than telemarketers. The bill would also give regulators the resources they need to enforce privacy protections and prohibit companies from using dense terms-of-use agreements to get us to waive those obligations. Companies would have to be trustworthy regardless of what we “agree” to online.
It’s time to take a bold step forward. The United States has an opportunity to redefine itself as the country that protects the trust that people give to companies. By embracing trust, the United States can become a leader on privacy instead of following the path of false promises and diminishing returns. Call it legal innovation, if that’s what it takes. But whatever we call it, the United States can pave the way for a safe, sustainable and profitable digital future.